{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27939", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.689Z", "datePublished": "2026-02-27T21:34:39.107Z", "dateUpdated": "2026-02-27T21:34:39.107Z"}, "containers": {"cna": {"title": "Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789"}, {"name": "https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": ">= 6.0.0, < 6.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T21:34:39.107Z"}, "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user\u2019s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0."}], "source": {"advisory": "GHSA-rw9x-pxqx-q789", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user\u2019s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0."}], "id": "CVE-2026-27939", "lastModified": "2026-02-27T22:16:22.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T22:16:22.993", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a"}, {"source": "security-advisories@github.com", "url": "https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}